Phishing and Social Engineering

• What is social engineering?

  In a social engineering attack, an attacker would use human interaction (social skills) to obtain or compromise information about UNC or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate UNC’s  network. If an attacker is not able to gather enough information from one source, he or she may contact another source within UNC and rely on the information from the first source to add to his or her credibility.

• How do I protect myself and UNC against a social engineering attack?
  • If you ever suspect you may be involved with a social engineering attack, refer the individual to your supervisor immediately.  If your supervisor isn’t available, let the individual know you will have your supervisor get back with him/her.
  • Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about UNC , including its structure or networks, unless you are certain of a person's authority to have the information.
• What is phishing?

  Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year such as natural disasters (e.g.,Hurricane Katrina, Indonesian tsunami), epidemics and health scares (e.g.,H1N1), tax season, economic concerns (e.g., IRS scams), major political elections, holidays, or the death of high profile person.

• How do I report a phishing email I received?

  Forward the phishing email to the Technical Support Center at help@unco.edu. 

• What if I responded to a phishing attempt?

  Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. Then, contact the Technical Support Center at 970-351-4357 right away for further instructions.

• How would I spot a phishing scam?

  Phishing will come in an email soliciting a response from you either by replying to the email or by clicking on a link within the email that will direct you to a website.  To spot a phishing scam, look for the following:

  • Generic email greeting-A typical phishing email will have a generic greeting, such as “Dear User.”
  • False sense of urgency-“Your account will be disabled if it’s not updated within three (3) business days!”
  • Fake Links-Many phishing emails have a link that looks valid, but sends you to a fraudulent site. Example: www.secure-paypal.com
  • Attachments- Similar to fake links, attachments can be used in phishing emails and are dangerous.
  • Sender’s email address-The “From” line may include an official-looking email address that may actually be copied from a genuine one. However, the email address can easily be altered – it’s not an indication of the validity of any email communication.
  • Deceptive URLs-Examples:
    http://signin.paypal.com@10.19.2.4/
    http://83.17.125.18/pp/update.htm?= https://www.paypal.com/=cmd_login_access
    www.secure-paypal.com
• But what if the email is genuine?

  If you feel the email is valid but are not sure, the best thing to do is to open a new browser window and type the address of the website you trust in manually. Or contact the supposed sender of the email via phone at a number published on their company-owned website to verify the legitimacy of the email.

• What if the email has an attachment?

  Avoid clicking on email attachments whenever possible, especially if you don’t know the sender! It could cause you to download spyware or a virus.

• Is there somewhere I can go to see if I would be able to spot a phishing scam before it happens to me?

  Yes! Test yourself with this fun interactive game from OnGuard.

• How do I know if a website is secure?

  There are 2 things to look for to know if a website is secure:

  • Look at the website address. https:// means the site is secure. If it only has http://, that is not secure. Don’t enter any personal information on a website (including username and password) if the site is not secure.
  • If there is a secure lock icon in the status bar at the bottom right-hand corner of the browser window, the site is secure. Many fake sites will put this icon inside the main window to deceive you.
• What is social engineering?

  In a social engineering attack, an attacker would use human interaction (social skills) to obtain or compromise information about UNC or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate UNC’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within UNC and rely on the information from the first source to add to his or her credibility.

• How do I protect myself and UNC against a social engineering attack?

  If you ever suspect you may be involved with a social engineering attack, refer the individual to your supervisor immediately. If your supervisor isn’t available, let the individual know you will have your supervisor get back with him/her.

  • Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about UNC , including its structure or networks, unless you are certain of a person's authority to have the information.
• Will Microsoft Tech Support call me because I have a virus or my computer is slow?

  No. UNC’s Information Security Team has been notified that there is a company posing as Microsoft Support saying that your PC has a virus or is running slow and that they would like to help.  The support person then wants to get access to your computer via a remote meeting. At this point they want to install software on your computer and may offer to sell you an Antivirus program.  

  What they are really doing is attempting to Phish you or use Social Engineering to gain access to your credit cards and bank accounts.
  If someone claiming to be from Microsoft tech support calls you:

  • Do not purchase any software or services.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
  • Please take the caller's information down and immediately report it to your local authorities.
  • Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.